[ISN] Lax IT Security Threatens Theft Of Personal And Other
Sensitive Data From Government Systems
InfoSec News
isn at c4i.org
Fri Mar 25 04:33:19 EST 2005
http://informationweek.com/story/showArticle.jhtml?articleID=159905569
By Eric Chabrow
InformationWeek
March 24, 2005
Personal data held in a government database is at increased risk of
unauthorized disclosure, modification, or loss--possibly without
anyone knowing, government auditors reported Thursday. The Government
Accountability Office, the investigative arm of Congress, contends the
Securities and Exchange Commission hasn't effectively implemented IT
controls to protect the integrity, confidentiality, and availability
of its financial and sensitive data.
Specifically, the GAO says in a 29-page report--addressed to SEC
chairman William Donaldson--that the SEC hadn't consistently
implemented effective electronic access controls, including user
accounts and passwords, access rights and permissions, network
security, and audit and monitoring of security-relevant events to
prevent, limit, and detect access to its critical financial and
sensitive systems.
In addition, the report says, weaknesses in other information system
controls, including physical security, segregation of computer
functions, application change controls, and service continuity,
further increase risk to the SEC's information systems. "As a result,
sensitive data--including payroll and financial transactions,
personnel data, regulatory, and other mission-critical
information--were at increased risk of unauthorized disclosure,
modification, or loss, possibly without detection," Gregory Wilshusen,
the GAO's director of information security issues, wrote in the
report.
A major factor for the SEC's IT control weaknesses is that the
commission hasn't fully developed and implemented a comprehensive
agency information security program to provide reasonable assurance
that effective controls are established and maintained and that
information security receives sufficient management attention,
Wilshusen says. Although the SEC has taken some actions to improve
security management, including establishing a central
security-management function and appointing a senior information
security officer to manage the program, it had not clearly defined
roles and responsibilities for security personnel.
In addition, the GAO says, the SEC had not fully assessed its risks,
established or implemented security policies, promoted security
awareness, and tested and evaluated the effectiveness of its
information system controls. The commission doesn't have a solid
foundation for resolving existing information system control
weaknesses and continuously managing information security risks,
Wilshusen says.
In response, the SEC agreed with the GAO recommendations that the
commission's, CIO Corey Booth, move to fully develop and implement an
effective, agencywide information security program. In a letter to
Wilshusen, Booth assured the GAO that the SEC already is addressing
the problems raised by congressional auditors.
More information about the ISN
mailing list